SYSTEMS AND METHODS FOR PROVIDING DYNAMIC NETWORK
AUTHORIZATION, AUTHENTICATION AND ACCOUNTING

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of copending U.S. Patent Application
Serial No. 09/458,569, filed on December 8, 1999, titled "Systems And Methods For
Redirecting Users Having Transparent Computer Access To A Network Using A
Gateway Device Having Redirection Capability". This application also claims priority
from U.S. Application Serial No. 09/458,602, filed December 8, 1999, titled "Systems
and Methods For Authorizing, Authenticating and Accounting Users Having Transparent
Computer Access To A Network Using A Gateway Device," U.S. Provisional
Application Serial No. 60/161,182, filed October 22, 1999, titled "Systems and Methods
for Dynamic Bandwidth Management on a Per Subscriber Basis in a Computer
Network," U.S. Provisional Application Serial No. 60/160,890, filed October 22, 1999,
titled "Systems and Methods for Creating Subscriber Tunnels by a Gateway Device in a
Computer Network," U.S. Provisional Application Serial No. 60/161,139, filed October
22, 1999, titled "Information And Control Console For Use With A Network Gateway
Interface," U.S. Provisional Application Serial No. 60/161,189, filed October 22, 1999,
titled "Systems and Methods for Transparent Computer Access and Communication with
a Service Provider Network Using a Network Gateway Device," U.S. Provisional
Application Serial No. 60/160,973, filed October 22, 1999, titled "Systems and Methods
for Enabling Network Gateway Devices to Communicate with Management Systems to
Facilitate Subscriber Management," U.S. Provisional Application Serial No. 60/161,181,
filed October 22, 1999, titled "Gateway Device Having an XML Interface and Associated
Method," and U.S. Provisional Application Serial No. 60/161,093, filed October 22,
1999, titled "Location-Based Identification and Authorization for use With a Gateway
Device." All of the above applications are incorporated by reference in their entirety.
FIELD OF THE INVENTION
The present invention relates generally to systems and methods for controlling 
network access, and more particularly, to systems and methods for establishing dynamic 
user network access. 


BACKGROUND OF THE INVENTION 
User access to computer networks has traditionally been based upon a two-step
authentication process that either provides a user total network access, or refuses the user
any access whatsoever. In the first step of the process, a user establishes a
communication link with a network via a telephone line, dedicated network connection
(e.g., Broadband, Digital Signal Line (DSL)), or the like. In the second step of the
authentication process, the user must input identification information to gain access to the
network. Typically, the input identification information includes a user name and
password. Using this information, the network or service provider verifies that the user is
entitled to access the network by determining whether the identification information
matches subscriber information contained in a subscriber table (or database) that stores
identification information for all users authorized to access the network. Where user
input information matches subscriber data in the subscriber table, the user is authorized to
access any and all services on the network. On the other hand, if the user input
identification information fails to match subscriber data in the table, the user will be
denied access to the network. Thus, once a user's identity is compared to data stored
within a subscription table, the user is either entitled network access, or denied access
altogether. Furthermore, where the user is authorized access to the network, the user is
typically authorized to access any destination accessible via the network. Therefore,
conventional authentication of users is based on an all-or-nothing approach to network
access.

In many conventional network access applications, such as in conventional
Internet access applications, the subscriber database (or table) not only stores data
corresponding to the identity of subscribers authorized to access the network, but also
stores information that can vary based upon the particular subscriber. For instance, the
subscriber database can include subscriber profiles that indicate the type of access a
subscriber should receive, and other related information, such as the fees due by the
subscriber for network access. Although information in the subscriber database may vary
from user to user, information unique to the database is generally used for billing or
network maintenance purposes. For instance, conventional subscriber databases typically
include data such as the cost the subscriber is paying for network access, and the amount
of time the subscriber has accessed the network. Thus, where a subscriber to an Internet
Service Provider (ISP) has purchased Internet access, a source profile database may
contain information that enables a user to be authenticated and tracks the user's access for
accounting purposes, such as maintaining a log of the user's time on the network.

Additionally, in conventional network access systems, in order for a user to
connect to on-line services (e.g., the Internet), the user must install client side software
onto the user's computer. Client side software is typically provided by a network
administrator or network access provider, such as an ISP with whom the user has
subscribed for Internet access, and enables the client to configure his or her computer to
communicate with that network access provider. Continuing with the illustrative
example of a user accessing the Internet via an ISP, the user must install ISP software on
the client computer, and thereafter establish an account with the ISP for Internet access.
Typically, a user subscribes to an ISP, such as America Online™, Earthlink™,
Compuserve™ or the like, by contracting directly with the ISP for Internet access.
Usually, the user pays for such Internet access on a monthly fixed fee basis. Regardless
of the user's location, the user may dial up an access number provided by the ISP and
obtain Internet access. The connection is often achieved via a conventional telephone
modem, cable modem, DSL connection, or the like.

Because users accessing networks through conventional methods, such as through
ISPs, are either allowed or denied access to a network in an all or nothing approach, users
cannot be dynamically authorized access to a network such that the user's access and
authorization to particular networks or sites is customizable. What is needed is a method
and system that allows users dynamic and customizable access that may vary based upon
any number of variables associated with a user, such as a user location, user name or
password, user computer, or other attributes. For example, it would be advantageous for
some users to be authorized access to all Internet sites, while others may be denied access
to particular sites. In addition to authorizing user access to a network, it would be
advantageous for a network, such as an ISP or enterprise network, to selectively permit
users a range of authorization, such that the user's access is not based upon an all or
nothing approach.


SUMMARY OF THE INVENTION 
The present invention includes a method and system for selectively implementing
and enforcing Authentication, Authorization and Accounting (AAA) of users accessing a
network via a gateway device. According to the present invention, a user may first be
authenticated to determine the identity of the user. The authentication capability of the
system and method of the present invention can be based upon a user ID, computer,
location, or one or more additional attributes identifying a source (e.g., a particular user,
computer or location) requesting network access. Once authenticated, an authorization
capability of the system and method of the present invention is customized based upon
the identity of the source, such that sources have different access rights based upon their
identity, and the content and/or destination requested. For instance, access rights permit a
first source to access a particular Internet destination address, while refusing a second
source access to that same address. In addition, the authorization capability of the
system and method of the present invention can be based upon the other information
contained in the data transmission, such as a destination port, Internet address, TCP port,
network, or similar destination address. Moreover, the AAA of the present invention can
be based upon the content type or protocol being transmitted. By authenticating users in
this manner, each packet can be filtered through the selective AAA process, so that a user
can be identified and authorized access to a particular destination. Thus, each time the
user attempts to access a different destination, the user is subject to the AAA, so that the
user may be prevented access from a particular site the AAA system and method deem
inaccessible to the user based upon the user's authorization while permitting access to
other sites that the AAA method and system deem accessible. Additionally, according to
one embodiment of the invention, source access to the network may be tracked and
logged by the present invention for accounting and historical purposes.
According to one embodiment of the invention, there is disclosed a method for
selectably controlling and customizing source access to a network, wherein the source is
associated with a source computer, and wherein the source computer has transparent
access to the network via a gateway device and no configuration software need be
installed on the source computer to access the network. The method includes receiving at
the gateway device a request from the source computer for access to the network,
identifying an attribute associated with the source based upon a packet transmitted from
the source computer and received by the gateway device, and accessing a source profile
corresponding to the source and stored in a source profile database, wherein the source
profile is accessed based upon the attribute, and wherein the source profile database is
located external to the gateway device and in communication with the gateway device.
The method also includes determining the access rights of the source based upon the
source profile, wherein access rights define the rights of the source to access the network.

According to one aspect of the invention, determining the access rights of the
source based upon the source profile includes determining the access rights of the source
based upon the source profile, wherein the access rights define the rights of the source to
access a requested network destination. According to another aspect of the invention, the
method includes assigning a location identifier to the location from which requests for
access to the network are transmitted, and the location identifier is the attribute associated
with the source. Furthermore, according to the invention, accessing a source profile
corresponding to the source can include accessing a source profile stored in a source
profile database, where the source profile database includes a remote authentication dial-
in user service (RADIUS), or a lightweight directory access protocol (LDAP) database.

According to yet another aspect of the invention, the method includes updating
the source profile database when a new source accesses the network. Additionally, the
method can include maintaining in the source profile database a historical log of the
source's access to the network. Moreover, the attribute associated with the source can be
based upon a MAC address, User ID or VLAN ID associated with the source computer
from which the request for access to the network was transmitted. According to yet
another aspect of the invention, receiving at the gateway device a request from a source
for access can include the step of receiving a destination address from the source.
According to another embodiment of the invention, there is disclosed a system for
selectably controlling and customizing access, to a network, by a source, where the
source is associated with a source computer, and wherein the source computer has
transparent access to the network via a gateway device and no configuration software
need be installed on the source computer to access the network. The system includes a
gateway device for receiving a request from the source for access to the network, and a
source profile database in communication with the gateway device and located external to
the gateway device, wherein the source profile database stores access information
identifiable by an attribute associated with the source, and wherein the attribute is
identified based upon a data packet transmitted from the source computer and received by
the gateway device. The system also includes a AAA server in communication with the
gateway device and source profile database, wherein the AAA server determines if the
source is entitled to access the network based upon the access information stored within
the source profile database, and wherein the AAA server determines the access rights of
the source with the access rights defining the rights of the source to access destination
sites via the network.

According to one aspect of the invention, the packet received by the gateway
device includes at least one of VLAN ID, a circuit ID, and a MAC address. Additionally,
according to another aspect of the invention, the source profile database includes a
remote authentication dial-in user service (RADIUS) or a lightweight directory access
protocol (LDAP) database. Furthermore, the source profile database can include a
plurality of source profiles, wherein each respective source profile of the plurality of
source profiles contains access information. According to the invention, each respective
source profile can also contain historical data relating to the duration of network access
for use in determining the charges due for the network access. According to yet another
aspect of the invention, the source profile database can be located within the AAA server.

According to another embodiment of the present invention, there is disclosed a
method for redirecting a source attempting to access a destination through a gateway
device, wherein the source is associated with a source computer, and wherein the gateway
device enables the source to communicate with a network without requiring the source
computer to include network software configured for the network. The method includes
receiving at the gateway device a request from the source to access the network,
identifying the source based upon an attribute associated with the source, and accessing a
source profile database located external to the gateway device, where the source profile
database stores access rights of the source. The method further includes determining the
access rights of the source based upon the identification of the source, wherein the access
rights define the rights of the source to access destination sites via the network.

According to one aspect of the invention, accessing a source profile database
includes accessing a source profile database that includes a remote authentication dial-in
user service (RADIUS), or a lightweight directory access protocol (LDAP) database.
According to another aspect of the invention, the method can include assigning a location
identifier to the location from which requests for access to the network are transmitted,
wherein the location identifier is the attribute associated with the source. The method can
also include updating the source profile database when a new source accesses the
network, and maintaining in an accounting database a historical log of the source's access
to the network, wherein the accounting database is in communication with the source
profile database.

According to yet another aspect of the invention, receiving at the gateway device
a request from a source for access can include the step of receiving a destination address
from the source. Moreover, determining if the source computer is entitled to access the
destination address can further include denying the source computer access where the
source profile indicates that the source computer is denied access. Determining if the
source is entitled to access the network can also further include directing the source to a
login page when the source profile is not located within the source profile database.

According to yet another embodiment of the invention, there is disclosed a system
for enabling transparent communication between a computer and a service provider
network. The system includes a computer, and a network gateway device in
communication with the computer for connecting the computer to a computer network,
where the network gateway device receives source data that represents a user attempting
to access said computer network. The system also includes a service provider network in
communication with the network gateway device, where the service provider network
includes an authentication server located external to the network gateway device and in
communication with the network gateway device. The authentication server has therein a
source profile database comprising source profiles that represent users authorized to
access said computer network, and compares the source data to said source profiles to
determine if the user attempting to access the computer network can access the computer
network.

According to one aspect of the invention, the system can include an accounting
system for maintaining historical data concerning use of the service provider network.
According to another aspect of the invention, the authentication server includes a remote
authentication dial-in user service (RADIUS), or a lightweight directory access protocol
(LDAP) database. Furthermore, the source profile database can include a plurality of
source profiles, where each respective source profile of the plurality of source profiles
contains access information. According to yet another aspect of the invention, the source
data includes an attribute associated with the computer and transmitted from the
computer to the gateway device. According to another aspect of the invention, the source
data includes login information associated with a respective user.

The Authentication, Authorization and Accounting method and system according
to the present invention enable users transparent access to a computer network employing
a gateway device. Therefore, each user may have differing rights to access services, sites
or destinations via the network. Thus, the present invention differs from conventional
AAA methods and systems by offering dynamic AAA services which authenticate users
and offer those users varying degrees of authorization to utilize the accessed network.
Furthermore, the source profile database of the present invention can be located external
to the gateway device, and on a network non-local to the network from which access is
requested. An external source profile database is desirable because each gateway device
allows a finite number of users to access the network, so that multiple gateway devices
may be required. Additionally, administering and maintaining one consolidated database
of authentication data is easier than multiple smaller databases. Moreover, locating the
database external to the local network allows an ISP or third party provider to maintain
the confidentiality of the information stored within the database and maintain and control
the database in any manner the third party provider so desires.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a computer system that includes a AAA server for
authenticating, authorizing and accounting sources accessing networks and/or online
services, according to one embodiment of the present invention.
FIG. 2 is a flow chart of a method in which a AAA server performs
authentication, authorization, and accounting, according to one aspect of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 
The present invention now will be described more fully hereinafter with reference
to the accompanying drawings, in which preferred embodiments of the invention are
shown. This invention may, however, be embodied in many different forms and should
not be construed as limited to the embodiments set forth herein; rather, these
embodiments are provided so that this disclosure will be thorough and complete, and will
fully convey the scope of the invention to those skilled in the art. Like numbers refer to
like elements throughout.

Referring now to FIG. 1, a computer system 10 is illustrated in block diagram
form. The computer system 10 includes a plurality of computers 14 that can
communicate with one or more online services 22 or networks via a gateway device 12
providing the interface between the computers 14 and the various networks 20 or online
services 22. One embodiment of such a gateway device has been described in U.S.
Patent Application No. 08/816,174 (referred to herein as the Gateway Device
Application), the contents of which are incorporated herein by reference. Briefly, the
gateway device 12 facilitates transparent computer 14 access to the online services 22 or
networks 22, such that the computers 14 can access any networks via the device 12
regardless of their network configurations. Additionally, the gateway device 12 includes
the ability to recognize computers attempting to access a network 12, the location of
computers attempting to access a network, the identity of users attempting to gain
network access, and additional attributes, as will be discussed below with respect to the
dynamic AAA methods and systems of the present invention.
As illustrated in FIG. 1, the computer system 10 also includes an access
concentrator 16 positioned between the computers 14 and the gateway device 12 for
multiplexing the signals received from the plurality of computers onto a link to the
gateway device 12. Depending upon the medium by which the computers 14 are
connected to the access concentrator, the access concentrator 16 can be configured in
different manners. For example, the access concentrator can be a digital subscriber line
access multiplexer (DSLAM) for signals transmitted via regular telephone lines, a cable
head end (a Cable Modem Termination Shelf (CMTS)) for signals transmitted via coaxial
cables, a wireless access point (WAP) for signals transmitted via a wireless network, a
switch, or the like.

The computer system 10 further includes a AAA server 30 that dynamically
authenticates and authorizes user access, as explained in detail below, such that users are
subjected to a AAA process upon attempting to gain access to a network through the
gateway device 12. Finally, as is shown in FIG. 1, the computer system 10 typically
includes one or more routers 18 and/or servers (not shown in FIG. 1) to control or direct
traffic to and from a plurality of computer networks 20 or other online services 22.
While the computer system 10 is depicted to have a single router, the computer system 10
can have a plurality of routers, switches, bridges, or the like that are arranged in some
hierarchical fashion in order to appropriately route traffic to and from the various
networks 20 or online services 22. In this regard, the gateway device 12 typically
establishes a link with one or more routers. The routers, in turn, establish links with the
servers of the networks 20 or online services 22, based upon the user's selection. It will
be appreciated by one of ordinary skill in the art that one or more devices illustrated in
FIG. 1 may be combinable. For example, although not shown, the router 18 may be
located entirely within the gateway device 12.

Users and computers attempting to access a network 20 or online service 22 via
the gateway device 12 are referred to hereinafter as sources. According to AAA methods
and systems of the present invention, a source attempting to access a network via the
gateway device 12 is authenticated based on attributes associated therewith. These
attributes can include the identity of a particular user or computer, location through which
access is requested, requested network or destination, and the like. As is explained in
detail in the Gateway Device Application, these attributes are identified by data packets
transmitted to the gateway device 12 from the computers through which access is
requested. According to one embodiment, methods and systems of the present invention
provide dynamic authentication, authorization and accounting based upon these
attributes. Generally, as used herein authentication refers to the identification of the
source, authorization refers to the determination of permittable source access, and
accounting refers to the tracking of a source's access to a network.

Referring now to the authentication function of systems and methods of the present
invention, it will be appreciated that authenticating a source attempting to access the
network is often crucial to network administration, as network access and services are not
typically laid open for all users regardless of identity or payment. As stated above, a
source may be identified by the gateway device 12 by one or more attributes contained
within data packets transmitted to the device from the computer associated with the
source attempting to access a network or service, referred to hereinafter as the source
computer. For instance, where the source is a user, the source computer is the computer
through which the user is attempting to access a network or network destination. On the
other hand, where the source is a computer through which one or more users may request
access to a network, the source computer is that computer through which access is
requested.

According to one aspect of the invention, a source computer attempting to access
a network via the gateway device 12 may be identified by one or more attributes that include
a circuit ID, MAC address, user name, ID and/or password, or particular location (e.g., a
communications port in a hotel room), or the like, transmitted to the gateway device 12
via data packets generated by the source computer, as described in U.S. Provisional
Application Serial No. 60/161,093, titled "Location-Based Identification and
Authorization for use With a Gateway Device." It will be appreciated that one or more of
these attributes can be used in the present invention to identify the source accessing the
network. By means of an illustrative example, where sources are different users having
dissimilar authentication and authorization rights, the users may identify themselves by
their respective login information (e.g., user name and password) such that they will be
independently identified despite the use of the same equipment, such as the same
computer. On the other hand, where the source is a computer, diverse users using the
computer will have like authentication and authorization rights regardless of the
individual rights of each user, as the rights are associated with the computer (e.g.,
identified by MAC address), rather than with the respective users.

The authentication of sources via an attribute associated with the source is
performed by the AAA server 30, illustrated in FIG. 1. The AAA server 30 stores source
profiles corresponding to sources identified by the AAA server 30. According to one
aspect of the present invention, the AAA server 30 is located entirely within the gateway
device 12. According to another aspect of the invention, the AAA server 30 can
comprise a plurality of components, at least some of which are external to the gateway
device 12, or alternatively, the AAA server 30 can be located entirely external to the
gateway device 12. For example, the location of the AAA server 30 may be such that the
gateway device 12 communicates with the AAA server 30 via internet protocol.
According to one embodiment of the invention, the AAA server 30 can be maintained by
an ISP, which identifies sources authorized to communicate with the network via the ISP.
Therefore, it will be appreciated that the AAA server 30 may be located at any internet
address and stored on any computer accessible via internet protocol.

According to one aspect of the invention, a separate source profile exists for each
source accessing the system. Source profiles are maintained in a source profile database,
which may be an internal component of the AAA server 30, an external component of the
AAA server 30, or a separate component in communication with the AAA server 30.
Preferably, the source profile database is located external to the gateway device and
network to alleviate administrative burden on the network so that the network does not
have to set up and maintain separate authentication databases on each network or
gateway device. This is also preferable because each gateway device 12 allows a finite
number of users to access the network, which requires multiple gateway devices to
accommodate a large number of sources. Secondly, administering and maintaining one
consolidated database of authentication data is easier than multiple smaller databases.
Lastly, locating the source profile database external to the local network can allow an ISP
or third party provider to maintain the confidentiality of the information stored within the
database and maintain and control the database in any manner the third party provider so
desires.
The source profile includes one or more names, passwords, addresses, VLAN tags, MAC
addresses and other information pertinent to identify, and, if so desired, bill, a source. Upon a
source's attempt to access a network via the gateway device 12, the AAA server 30 attempts to
authenticate the source by comparing stored source profiles in the source profile database with
the attributes received from the gateway device 12 or source to determine the source identity.
As an illustrative example, where a user attempts to access the network by entering a user ID
and password, the user ID and password are compared against all IDs and passwords stored
in the source profile database to determine the identity of the user. As such, the source profile
database generally comprises a database or data storage means in communication with
processing means located within the AAA server 30 or gateway device 12, where the source
profile database and processor work in conjunction to compare received attributes to stored
source profile information, as is well known in the art.

The source profile database may comprise programmable storage hardware or like means
located on a conventional personal computer, mainframe computer, or another suitable storage
device known in the art. Additionally, the means for comparing the received data to the data
within the database can comprise any software, such as an executable software program, which
can compare data. For example, the AAA server 30 may store source profiles on a hard drive of
a personal computer, and the means for comparing the received source data to the source
profiles resident on the computer can include computer software, such as Microsoft Excel
(Microsoft Excel is a trademark of Microsoft Corporation, Redmond, Washington). According
to another embodiment of the invention, the AAA server 30 or source profile database can
comprise a Remote Authentication Dial-In User Service (RADIUS) or a Lightweight Directory
Access Protocol (LDAP) database, which are well known to those of skill in the art.

If a source fails to correspond to a source profile in the AAA server 30 at the time of
authentication, the source will not be permitted access to the network. When this occurs, a
user, or a user associated with a non-user source, may be requested to input source profile
information to the AAA server 30 so that the AAA server 30 can add the source's profile to
the AAA server 30, and more specifically, to the source profile database. For example, this
may occur the first time a user attempts to access the gateway device 12.
According to another aspect of the invention, where the source cannot be identified, the
source may be directed to a login page in order to gather additional information to identify the
source. For instance, the information may be entered with the aid of a webpage, a pop-up
control panel or user interface, which can open when the source initially connects to the
gateway device 12, as effectuated by a home page redirection capability, described herein and
in U.S. Patent Application, Serial No. 09/458,569, filed December 8, 1999, entitled "Systems
And Methods For Redirecting Users Having Transparent Computer Access To A Network
Using A Gateway Device Having Redirection Capability" (referred to hereinafter as the
"Redirection Application"), in U.S. Patent Application, Serial No. 09/458,579, filed December
8, 1999, entitled "Systems And Methods For Redirecting Users Having Transparent Computer
Access To A Network Using A Gateway Device Having Redirection Capability," and in U.S.
Patent Application, Entitled "Systems and Methods for Redirecting Users Attempting to
Access a Network Site," filed concurrently herewith, inventors Joel Short and Florence Pagan,
the contents of each of which are incorporated herein by reference.

According to one aspect of the invention, the AAA server 30 can identify the source in
communication with the gateway device in a manner that is transparent to computer users.
That is, according to one aspect of the invention, a user will not be required to input
identification information, reconfigure the source computer or otherwise change the source
computer's primary network settings. Furthermore, no additional configuration software will
have to be added to the source computer. After a packet is received by the gateway device,
attributes identified by the data packet can be compared with the data contained in the source
profile database. Therefore, in addition to not requiring the reconfiguration of computers
accessing the network, AAA servers of the present invention have the ability to authenticate
sources without requiring interactive steps by the computer user, such as the entering of a user
ID. For instance, the AAA server 30 may automatically identify the source based upon a MAC
address, so that authorization of the source can be readily determined. Therefore, it will be
appreciated that the AAA server 30 can determine the user, computer, or location from which
access is requested by comparing the attributes associated with the received data packet (such
as in a header of the data packet) with data drawn from the source profile database. As will be
described below, the access rights associated with the source may also be stored within the
source profile database so that the system and method of the present invention can
dynamically authorize access to particular services or destinations.

Once the source has established the network service connection via the authentication
process discussed above, and a tunnel has been opened to facilitate a communication line
between the source computer and a network, the gateway device 12 communicates with the
AAA server 30 to assemble source profile information, or source-specific data. The source
profile information that the gateway device assembles may include a MAC address, name or
ID, circuit ID, billing scheme related data, service level data, user profile data, remote-site
related data, and like data related to the source. As such, the AAA server 30 can transmit to
the gateway device 12 any requisite information relating to the source's authorization rights
and use of the network, as is next explained in detail.

In addition to authenticating users, the AAA server 30 of the present invention provides an
authorization function, in which the source access rights are determined. The present invention
enables dynamic authorization of sources, such that each source might have different respective
network usage or access rights. After authentication, the AAA server 30 compares the attributes
of the source with the access rights of the source associated with the user, computer, location or
attribute(s). The access rights may be stored within the source profile database or within a
separate subscription database located internal or external to the gateway device 12. Therefore,
separate databases may be utilized, where one stores identification information on sources for
authentication, and another database stores the access rights of those sources that have been
authenticated. However, because the profiles of all sources, identified by attribute or a
combination of attributes, are stored in a source profile database, it may be advantageous to
locate information regarding access rights in the source profile database, which already contains
information regarding each authenticated source, as described above.

According to one aspect of the invention the source profile database stores information
defining the access rights of a source. For example, a source profile database may contain
information indicating that a source having a particular MAC address has purchased pre-paid
access, or that a given circuit ID has free access or unlimited access. Guests in a particular room
or rooms of a hotel, for example, suites and penthouses, may receive free unlimited Internet
access. Therefore, access rights can be available contingent upon the source's location (e.g.
room) or location status (e.g. suite). In this event, no further identification is required, as the
location from which the source is requesting access is known to the gateway device and stored
in the source profile database.

In addition to storing information concerning what each source is authorized to access, the
source profile database can also include specialized access information associated with a
particular source, such as the bandwidth of the source's access, or a homepage to which the
source should be directed. For example, a user accessing the network from a penthouse may
receive a higher access baud rate than someone accessing the network from a typical hotel
room. For example, where a user is transparently accessing the gateway device from a hotel
room, the hotel network administrator may enter user access information into the source profile
database based upon access rights associated with a room in the hotel. This can also be done
automatically by the gateway device or a local management system, such as a hotel property
management system, when the user checks into his or her room. Additionally, the user may
establish the information to be contained within the source profile database upon first accessing
the gateway device. For instance, a new user may be directed to enter a credit card number,
e-wallet account information, pre-paid calling card number or like billing information to obtain
access to the system. A source profile can also include historical data relating to a source's
access to the network, including the amount of time a source has accessed the network.
Specialized access or accounting information contained within the source profile database may
be established by the system administrator, or by the source who has purchased or otherwise
established access to the network.

According to one aspect of the invention, the authorization capability of the AAA server 30
can be based upon the type of services the source is attempting to access, such as a destination
address, identified by the gateway device 12 based upon data received from the source
computer. The destination can be a destination port, Internet address, TCP port, network, or
the like. Moreover, the authorization capability of the AAA server 30 can be based upon the
content type or protocol being transmitted. According to the system and method of the present
invention, each packet can be filtered through the selective AAA process, so that any or all
sources can be authorized access to a particular destination based on the access rights
associated with the respective sources. Therefore, according to the present invention, each time
the source attempts to access a different destination, the source is subject to the AAA, so the
source may be prevented from accessing a particular site the AAA server 30 deems inaccessible
to the source based upon the source's authorization. Alternatively, the AAA method according
to the present invention allows some or all sources to connect directly to a specific site, such as
credit card or billing servers for collecting billing information, which can collect payment or
billing information so that the source profile can be updated and the source thereafter
authorized access to networks. According to the system and method of the present invention, a
source's authorization can also depend upon objective criteria, such as a specific time, so that
the session can be terminated at a specific time, after a specific time has elapsed, or according
to other dynamic information determined by the network provider. Furthermore, authorization
can be associated with a combination of attributes. For example, a user may be authorized
access to a network where the user has input the user's identification and has accessed the
network from a particular room. Such a requirement could prevent unauthorized users also
staying in a particular room from obtaining network access. Therefore, AAA can be based
upon the origination, destination, and type of traffic.

By way of further explanation, a flow chart of the operation of the AAA server 30 will be
described with respect to FIG. 2, according to one aspect of the invention. In operation, a
source computer requests (block 200) access to a network, destination, service, or the like.
Upon receiving a packet transmitted to the AAA server 30, the AAA server 30 examines the
packet to determine the identity of the source (block 210). The attributes transmitted via the
packet are temporarily stored in the source profile database so that the data can be examined
for use in determining authorization rights of the source. The attributes contained in the packet
can include network information, source IP address, source port, link layer information, source
MAC address, VLAN tag, circuit ID, destination IP address, destination port, protocol type,
packet type, and the like. After this information is identified and stored, access requested from
a source is matched against the authorization of that source (block 230).

Once a source profile has been determined by accessing the authorization rights stored in the
source profile database, three possible actions can result. Specifically, once a source's
authorization rights have been retrieved the AAA server 30 may determine a source to have
access 222, to be pending or in progress 224, or to not have access 226. First, a source is
deemed valid (i.e., to have access) where the source profile database so states. If a source is
determined to be valid, the source's traffic can be allowed to proceed out of the gateway device
to the networks or online services the user associated with the source wishes to access (block
230). Alternatively, the source may be redirected to a portal page, as described in the
Redirection Application, prior to being allowed access to the requested network. For example,
a user may be automatically forwarded to a user-input destination address, such as an Internet
address, for example, where a user has free access associated with the user's hotel room.
Alternatively, this may occur where the user has already purchased access and the user has not
exhausted available access time. Furthermore, an accounting message may be initiated 230 to
log the amount of time the user is utilizing the gateway device such that the user or location
may be billed for access.

If the second scenario occurs, in which the source is deemed pending 224 or in progress, the
source may take steps to become authenticated (block 240) so that the source information is
recorded in the source profile database. For example, a user may have to enter into a purchase
agreement, requiring the user to enter a credit card number. If the user needs to purchase
access, or if the system needs additional information about the user, the user can be redirected
from the portal page via Home Page Redirect (HPR) and Stack Address Translation (SAT) to a
location, such as a login page, established to validate new users. SAT and HPR can intervene to
direct the user to a webserver (external or internal) where the user has to log in and identify
themselves. This process is described in detail in the Redirection Application. After inputting
any necessary and sufficient information, the user is then permitted access to a destination
address (blocks 230, 250). Where the information provided is insufficient the user will not be
authorized access (block 260). Finally, a third scenario can occur in which a source is deemed
not to have access 226, so that the user is not permitted to access a destination via the network
(block 260).
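The per-destination authorization rules described above (location-based grants, time-limited sessions, a combination of location and login, and a billing server reachable before authorization) and the FIG. 2 decision flow (access 222, pending 224, no access 226), rendered as an added example. This is not the patent's own code nor code from any product it describes: the packet and profile fields, the walled-garden billing address, the login page URL and every profile below are constructed for illustration. One caveat a practitioner would add: the MAC address and VLAN tag used for transparent identification are read from the source's own frames and can be spoofed, which is why the combination of a location attribute with a login, as the text describes, is modelled here as a separate requirement in the profile.

```python
"""Added example (not from the patent): a minimal model of the per-packet AAA
decision of FIG. 2. All names, addresses and profiles are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Decision(Enum):
    ACCESS = 222       # source deemed valid
    PENDING = 224      # source must log in or purchase access
    NO_ACCESS = 226    # source denied


@dataclass(frozen=True)
class Packet:
    """Attributes the gateway reads from a received packet (assumed subset)."""
    src_mac: str
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"
    vlan_tag: Optional[int] = None
    circuit_id: Optional[str] = None   # location identifier, e.g. a hotel room port
    user_id: Optional[str] = None      # set only after the user has logged in


@dataclass
class SourceProfile:
    """Access rights stored with a source profile (assumed fields)."""
    allowed: Set[str]                       # "*" | "ip" | "ip:port"
    expires_at: Optional[float] = None      # session ends at this time, if set
    requires_user_id: Optional[str] = None  # combination: location AND login


# Profiles keyed by the identifying attribute: ("circuit", id) or ("mac", addr).
SourceProfileDB = Dict[Tuple[str, str], SourceProfile]

# Destinations every source may reach, even before authorization (billing server).
WALLED_GARDEN: Set[str] = {"203.0.113.10:443"}          # constructed address
LOGIN_PAGE = "https://portal.example/login"              # assumed HPR target


def destination_allowed(rules: Set[str], ip: str, port: int) -> bool:
    return "*" in rules or ip in rules or f"{ip}:{port}" in rules


def identify(db: SourceProfileDB, pkt: Packet) -> Optional[SourceProfile]:
    """Transparent identification: match packet attributes to stored profiles.
    Circuit ID (location) is checked before MAC so a room-based grant wins.
    Caveat: MAC and VLAN tag come from the source's own frames and can be
    spoofed; a profile's requires_user_id is what stops another guest on the
    same port from inheriting the grant."""
    if pkt.circuit_id is not None and ("circuit", pkt.circuit_id) in db:
        return db[("circuit", pkt.circuit_id)]
    return db.get(("mac", pkt.src_mac.lower()))


def authorize(db: SourceProfileDB, pkt: Packet, now: float) -> Tuple[Decision, str]:
    """Per-packet AAA decision; returns the outcome and where the packet goes next."""
    dest = f"{pkt.dst_ip}:{pkt.dst_port}"
    if dest in WALLED_GARDEN:
        return Decision.ACCESS, dest                 # billing server: always reachable
    profile = identify(db, pkt)
    if profile is None:
        return Decision.PENDING, LOGIN_PAGE          # unknown source: redirect to login
    if profile.expires_at is not None and now >= profile.expires_at:
        return Decision.NO_ACCESS, "session expired"  # time-based termination
    if profile.requires_user_id and pkt.user_id != profile.requires_user_id:
        return Decision.PENDING, LOGIN_PAGE          # right room, but must also log in
    if not destination_allowed(profile.allowed, pkt.dst_ip, pkt.dst_port):
        return Decision.NO_ACCESS, f"{dest} not in access rights"
    return Decision.ACCESS, dest


# Constructed source profile database for the demonstration.
PROFILES: SourceProfileDB = {
    ("circuit", "room-101"): SourceProfile(allowed={"*"}),                        # free access
    ("mac", "00:11:22:33:44:55"): SourceProfile(allowed={"*"}, expires_at=1000),  # pre-paid
    ("circuit", "suite-900"): SourceProfile(allowed={"*"}, requires_user_id="guest42"),
    ("mac", "66:77:88:99:aa:bb"): SourceProfile(allowed={"198.51.100.5:80"}),     # one site
}


if __name__ == "__main__":
    pkt = Packet(src_mac="aa:aa:aa:aa:aa:aa", dst_ip="198.51.100.5", dst_port=80,
                 circuit_id="room-101")
    print(authorize(PROFILES, pkt, now=0))
```

Each packet is evaluated independently, which is what lets a source be allowed to one destination and refused another, and the walled-garden check runs before identification so an unknown source can still reach the billing server to establish a profile.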

Referring now to the accounting function of systems and methods of the present invention,
upon authorizing a source network access, the AAA server 30 can register an accounting start
to identify that the source is accessing the network. Similarly, when the source logs off or
terminates the network session, an accounting stop can be registered by the AAA server 30.
Accounting starts or stops can be identified by the gateway device 12 or by the AAA server 30
upon a source's authentication or authorization to access a desired destination. Furthermore,
accounting starts or stops can be registered in the source profile, or can be stored in a database
separate from the AAA server 30 and located external to the network. Typically, accounting
starts and stops include time stamps that indicate the amount of time a source has been
accessing the network. Using this data, the time between the accounting start and accounting
stop can be tallied so that the source's total connection time may be computed. Such
information is valuable where the source is charged by an increment of time, such as an hour. A
billing package, as is well known in the art, could then tally a user's total time accessing the
network over a set period, such as each month, so that a bill can be created for the source.
Because networks and ISPs often may charge a set rate for a specific duration of time (i.e., flat
rate pricing), such as a month, regardless of how much time is spent accessing the network,
accounting stops and starts may not be required for billing purposes. Nevertheless, accounting
starts and stops may generally be recorded by the network provider or ISP for usage statistics.

An ISP or similar access provider would additionally benefit from being able to track
subscribers' use of the ISP to establish bills, historical reports, and other relevant information.
Preferably, the AAA server 30 is in communication with one or more processors for
determining any fees which may be charged to the source, or due from the source, for network
access or services. The AAA server 30 retrieves the historical accounting data on a real-time
basis or after a specific interval of time has elapsed. Preferably, the AAA server 30 retains such
data in an easily accessible and manipulable format such that the access provider (e.g., ISP)
can produce reports representative of any desired type of historical data. For example, to
project future use of the access provider, the AAA server 30 produces reports tallying the
number of users accessing the Internet at certain time periods and from specific locales.
Moreover, where the access provider provides alternative access to users, such as charging for
faster connections (i.e., higher baud rate) for additional fees, the access provider may wish to
analyze historical data using the AAA server 30 to best meet future customer demands. Such
data may relate to network sessions currently on-going, the duration of those sessions, the
bandwidth currently being used, the number of bytes that have been transferred and any other
pertinent information. The AAA server 30 may be implemented using well known programs,
such as Eclipse Internet Billing System, Kenan Broadband Internet Billing Software
(manufactured by Lucent Technologies), or TRU RADIUS Accountant.

It will be appreciated that the AAA server 30 can dynamically account for source access to a
network in the same manner in which access is customizable on a source by source basis. That
is, the AAA server 30 can maintain accounting records that vary depending upon the identity of
a source, source location, source requested destination, or the like. Like the access or
authorization rights, this information can be maintained in the source profile database or a
similar accounting database. For instance, the AAA server 30 may determine that a particular
source is only charged for accessing particular sites, and will only register an accounting start
when those particular sites are accessed. Therefore, the AAA server 30 will identify account
information stored in the subscriber's source profile to determine accounting starts, accounting
stops, billing rates, and the like.
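The accounting function described in the preceding paragraphs, as an added example that is not the patent's own code: accounting starts and stops carrying time stamps, the tally of connection time within a billing period (an hourly increment rounded up, a flat-rate or free source recorded for usage statistics only), and the per-source rule that registers a start only when particular sites are accessed. The record layout, rule fields, rates and the session events replayed in `demo()` are constructed assumptions; a deployed system would take these from RADIUS accounting messages and the source profile.

```python
"""Added example (not from the patent): accounting starts/stops per source,
connection-time tally over a billing period, and per-source billing rules.
All field names, rates and events here are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class AccountingRule:
    """Accounting policy stored with a source profile (assumed fields)."""
    rate_per_increment: float                   # 0.0 for free or flat-rate sources
    increment_seconds: int = 3600               # charged by the hour, partial hours rounded up
    billable_sites: Optional[Set[str]] = None   # None: every destination counts


@dataclass
class AccountingRecord:
    source: str
    start: float                   # accounting start time stamp (epoch seconds)
    stop: Optional[float] = None   # accounting stop; None while the session is open


class Accountant:
    """Registers accounting starts/stops and computes time-based charges."""

    def __init__(self, rules: Dict[str, AccountingRule]) -> None:
        self.rules = rules
        self.records: List[AccountingRecord] = []
        self._open: Dict[str, AccountingRecord] = {}

    def on_authorized(self, source: str, dest: str, now: float) -> bool:
        """Register an accounting start when an authorized source reaches a
        destination its rule counts. Returns True if a start was registered."""
        rule = self.rules[source]
        if rule.billable_sites is not None and dest not in rule.billable_sites:
            return False                         # not a charged site: no start
        if source in self._open:
            return False                         # session already being accounted
        rec = AccountingRecord(source, now)
        self._open[source] = rec
        self.records.append(rec)
        return True

    def on_logoff(self, source: str, now: float) -> bool:
        """Register an accounting stop when the source logs off or is terminated."""
        rec = self._open.pop(source, None)
        if rec is None:
            return False
        rec.stop = now
        return True

    def connection_time(self, source: str, period_start: float,
                        period_end: float, now: float) -> float:
        """Seconds the source was connected within [period_start, period_end).
        A still-open session is counted up to `now`."""
        total = 0.0
        for rec in self.records:
            if rec.source != source:
                continue
            stop = rec.stop if rec.stop is not None else now
            begin, end = max(rec.start, period_start), min(stop, period_end)
            if end > begin:
                total += end - begin
        return total

    def bill(self, source: str, period_start: float, period_end: float, now: float) -> float:
        """Charge for the period, rounding a partial increment up to a whole one."""
        rule = self.rules[source]
        seconds = self.connection_time(source, period_start, period_end, now)
        increments = -(-int(seconds) // rule.increment_seconds)   # ceiling division
        return round(increments * rule.rate_per_increment, 2)


# Constructed rules: a pre-paid device billed hourly, a free hotel room (recorded
# for usage statistics only), and a source charged only when it reaches one site.
RULES: Dict[str, AccountingRule] = {
    "mac:00:11:22:33:44:55": AccountingRule(rate_per_increment=2.00),
    "circuit:room-101": AccountingRule(rate_per_increment=0.0),
    "mac:66:77:88:99:aa:bb": AccountingRule(rate_per_increment=5.00,
                                            billable_sites={"203.0.113.50:443"}),
}


def demo() -> Accountant:
    """Replay a constructed sequence of session events; returns the accountant."""
    acct = Accountant(RULES)
    acct.on_authorized("mac:00:11:22:33:44:55", "198.51.100.5:80", now=0)
    acct.on_logoff("mac:00:11:22:33:44:55", now=5400)                      # 1.5 h -> 2 increments
    acct.on_authorized("circuit:room-101", "198.51.100.5:80", now=100)
    acct.on_logoff("circuit:room-101", now=700)                            # 600 s, free
    acct.on_authorized("mac:66:77:88:99:aa:bb", "198.51.100.5:80", now=0)  # not billable: no start
    acct.on_authorized("mac:66:77:88:99:aa:bb", "203.0.113.50:443", now=1000)
    acct.on_logoff("mac:66:77:88:99:aa:bb", now=2800)                      # 1800 s -> 1 increment
    return acct


if __name__ == "__main__":
    a = demo()
    for src in RULES:
        print(src, a.connection_time(src, 0, 86400, now=86400), a.bill(src, 0, 86400, now=86400))
```

Keeping the raw start/stop records rather than only a running total is what lets the same data serve both the increment-based bill and the usage reports described above; the period clipping in `connection_time` is the step that makes a monthly bill correct for a session that straddles month boundaries.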

Many modifications and other embodiments of the invention will come to mind to one skilled
in the art to which this invention pertains having the benefit of the teachings presented in the
foregoing descriptions and the associated drawings. Therefore, it is to be understood that the
invention is not to be limited to the specific embodiments disclosed and that modifications and
other embodiments are intended to be included within the scope of the appended claims.
Although specific terms are employed herein, they are used in a generic and descriptive sense
only and not for purposes of limitation.
THAT WHICH IS CLAIMED:

1. A method for selectably controlling and customizing source access to a network, wherein
the source is associated with a source computer, and wherein the source computer has
transparent access to the network via a gateway device and no configuration software need be
installed on the source computer to access the network, comprising:

receiving at the gateway device a request from the source computer for access to the network;

identifying an attribute associated with the source based upon a packet transmitted from the
source computer and received by the gateway device;

accessing a source profile corresponding to the source and stored in a source profile database,
wherein the source profile is accessed based upon the attribute, and wherein the source profile
database is located external to the gateway device and in communication with the gateway
device, and

determining the access rights of the source based upon the source profile, wherein access
rights define the rights of the source to access the network.

2. The method of claim 1, wherein determining the access rights of the source based upon the
source profile comprises determining the access rights of the source based upon the source
profile, wherein access rights define the rights of the source to access a requested network
destination.

3. The method of claim 1, further comprising assigning a location identifier to the location
from which requests for access to the network are transmitted, and wherein the location
identifier is the attribute associated with the source.

4. The method of claim 1, wherein accessing a source profile corresponding to the source
comprises accessing a source profile stored in a source profile database, wherein the source
profile database comprises a remote authentication dial-in user service (RADIUS).
5. The method of claim 1, wherein accessing a source profile corresponding to the source
comprises accessing a source profile stored in a source profile database, wherein the source
profile database comprises a lightweight directory access protocol (LDAP) database.

6. The method of claim 1, further comprising updating the source profile database when a
new source accesses the network.

7. The method of claim 1, further comprising maintaining in the source profile database a
historical log of the source's access to the network.

8. The method of claim 1, wherein the attribute associated with the source is based upon one
of a MAC address, User ID or VLAN ID associated with the source computer from which the
request for access to the network was transmitted.

9. The method of claim 1, wherein receiving at the gateway device a request from a source for
access comprises the step of receiving a destination address from the source.

10. A system for selectably controlling and customizing access, to a network, by a source,
where the source is associated with a source computer, and wherein the source computer has
transparent access to the network via a gateway device and no configuration software need be
installed on the source computer to access the network, comprising:

a gateway device, wherein the gateway device receives a request from the source for access to
the network;

a source profile database in communication with the gateway device and located external to
the gateway device, wherein the source profile database stores access information identifiable
by an attribute associated with the source, and wherein the attribute is identified based upon a
data packet transmitted from the source computer and received by the gateway device, and

an Authentication, Authorization and Accounting (AAA) server in communication with the
gateway device and source profile database, wherein the AAA server determines if the source
is entitled to access the network based upon the access information stored within the source
profile database, and wherein the AAA server determines the access rights of the source,
wherein access rights define the rights of the source to access destination sites via the network.



11. The system of claim 10, wherein the packet received by the gateway device includes at
least one of a VLAN ID, a circuit ID, and a MAC address.

12. The system of claim 10, wherein the source profile database comprises a remote
authentication dial-in user service (RADIUS).

13. The system of claim 10, wherein the source profile database comprises a lightweight
directory access protocol (LDAP) database.

14. The system of claim 10, wherein the source profile database includes a plurality of source
profiles, wherein each respective source profile of the plurality of source profiles contains
access information.

15. The system of claim 14, wherein each respective source profile contains historical data
relating to the duration of network access for use in determining the charges due for the
network access.

16. The system of claim 10, wherein the source profile database is located within the AAA
server.




17. A method for redirecting a source attempting to access a destination through a gateway
device, wherein the source is associated with a source computer, and wherein the gateway
device enables the source to communicate with a network without requiring the source
computer to include network software configured for the network, comprising:

receiving at the gateway device a request from the source to access the network;

identifying the source based upon an attribute associated with the source;

accessing a source profile database located external to the gateway device, the source profile
database storing access rights of the source;

determining the access rights of the source based upon the identification of the source,
wherein the access rights define the rights of the source to access destination sites via the
network.

18. The method of claim 17, wherein accessing a source profile database comprises accessing
a source profile database comprising a remote authentication dial-in user service (RADIUS).

19. The method of claim 17, wherein accessing a source profile database comprises accessing
a source profile database comprising a lightweight directory access protocol (LDAP) database.

20. The method of claim 17, further comprising assigning a location identifier to the location
from which requests for access to the network are transmitted, and wherein the location
identifier is the attribute associated with the source.

21. The method of claim 17, further comprising updating the source profile database when a
new source accesses the network.

22. The method of claim 17, further comprising maintaining in an accounting database a
historical log of the source's access to the network, wherein the accounting database is in
communication with the source profile database.
23. The method of claim 17, wherein receiving at the gateway device a request from a source
for access comprises the step of receiving a destination address from the source.

24. The method of claim 19, wherein determining if the source computer is entitled to access
the destination address further comprises denying the source computer access where the
source profile indicates that the source computer is denied access.

25. The method of claim 17, wherein determining if the source is entitled to access the
network further comprises directing the source to a login page when the source profile is not
located within the source profile database.

26. A system for enabling transparent communication between a computer and a service
provider network, comprising:

a computer;

a network gateway device in communication with the computer for connecting the computer
to a computer network, wherein the network gateway device receives source data that
represents a user attempting to access the computer network; and

a service provider network in communication with the network gateway device, comprising

an authentication server located external to the network gateway device and in
communication with the network gateway device and having therein a source profile database
comprising source profiles that represent users authorized to access the computer network,
wherein the authentication server compares the source data to the source profiles to determine
if the user attempting to access the computer network can access the computer network.

27. The system of claim 26, further comprising an accounting system for maintaining
historical data concerning use of the service provider network.
28. The system of claim 26, wherein the authentication server comprises a remote
authentication dial-in user service (RADIUS).

29. The system of claim 26, wherein the authentication server comprises a lightweight
directory access protocol (LDAP) database.

30. The system of claim 26, wherein the source profile database includes a plurality of source
profiles, wherein each respective source profile of the plurality of source profiles contains
access information.

31. The system of claim 26, wherein the source data comprises an attribute associated with the
computer and transmitted from the computer to the gateway device.

32. The system of claim 26, wherein the source data comprises login information associated
with a respective user.



Attorney Docket No. 42253/205301

SYSTEMS AND METHODS FOR PROVIDING DYNAMIC NETWORK 
AUTHORIZATION, AUTHENTICATION AND ACCOUNTING 

ABSTRACT OF THE DISCLOSURE 
Systems and methods for selectably controlling and customizing source access to a network,
where the source is associated with a source computer, and wherein the source computer has
transparent access to the network via a gateway device and no configuration software need be
installed on the source computer to access the network. A user may be prevented from accessing
a particular destination or site based upon the user's authorization while being permitted to
access other sites that the method and system deem accessible. The method and system can
identify a source without that source's knowledge, and can access customizable access rights
corresponding to that source in a source profile database. The source profile database can be a
remote authentication dial-in user service (RADIUS) or a lightweight directory access protocol
(LDAP) database. The method and system use source profiles within the source profile
database to dynamically authorize source access to networks and destinations via networks.